I’m not sure I get the threat posed by an app that presents a fake Apple Pay button on screen. You push the button. So what? What happens next?

There are several other things a malicious app can do with fake UI (asking for a password is one), but I don’t see the threat posed by an OK button. The app could fake not just the button, but the tap as well if it wanted.